Friday, January 18, 2008

Let's talk Web Application Firewalls (WAFs)

Over the last month the level of chatter about Web Application Firewalls (WAFs) has increased significantly. At the end of last year I'd receive 1-2 emails per week with questions, but over the last month it's up to 2 per day, not to mention all the mailing list chatter. I like to stay up-to-date on the WAF market, even though I'm not in that business, because the value proposition is complementary to mine (website vulnerability assessment). Just as in network security, where perimeter firewalls, patch management, and vulnerability scanning each matter and fill a unique niche, the two technologies address different parts of the same problem. At first I thought the uptick in WAF interest was mainly due to the looming PCI DSS requirement 6.6 deadline (June 30, 2008). Not so much; the reasons are more fundamental.

You see, the InfoSec people responsible for Web security were usually not on the job when their employers' websites were developed (insecurely). They were hired after the fact to solve a problem typically identified by a vulnerability assessment (VA) solution or by an incident, at a point where preventative software security measures would require massive code rewrites. Most of them first attempt an awareness program, a noble pursuit with long-term benefits, but one that doesn't solve the immediate problems. The problems are too many websites, with too many vulnerabilities, and developers who don't work for them and probably don't care about Web application security anyway. In that position WAFs sound like a pretty darn good option, since they provide direct control.

Another interesting thing about WAF technology is that it's been around for roughly 10 years, yet its market really hasn't taken off (roughly 1,000 deployments by my estimates), but it hasn't gone away either. That's probably because the idea of website security without having to fix the code is extremely compelling. Of course there are WAF detractors who say it's because WAFs don't do what they promise, are difficult to manage, and people shouldn't use them anyway because their approach just serves as a band-aid. The fact is the WAF industry has a lot of baggage it must overcome originating from the early days, much of which does not hold true today. A lot has improved over the last several years and I've had the benefit of demoing these products personally. They have some serious power and flexibility.

Here's the deal: nothing in security is a silver bullet. Everyone knows and gets that. So when a WAF isn't perfect at something, doesn't block every attack all the time, and can't be plugged in and forgotten, that's to be expected! And that's what it's all about: properly setting expectations. We really need to know what they can and can't do, and how well. Because from where I sit, we NEED WAFs to work, if for nothing else than to give development groups at least a few days of breathing room. I mean, consider the thousands of issues posted on sla.ckers.org, or XSSed.com, or in the WhiteHat Sentinel database. Is anyone really under the impression these will get fixed one at a time, or anytime soon? And we're just talking about the XSS. What about the rest?

I like WAFs because they provide Web security experts one more option to get their job done. Dozens of open source and commercial WAFs are available, the most prominent names being Breach, Citrix, F5, and Imperva. Each has its own strong points and is better at some things depending on the situation. Navigating that environment is the tough part, and the more VA solutions like WhiteHat Sentinel are deployed, the more we'll understand that remediation is going to be a huge issue to tackle in the years to come.

You must have read my mind - I've also had a few requests about WAFs as well, and wrote this blog post (yes, I'm blogging now - I've left too many comments on yours and RSnake's site not to at least think about it :))

Another point is that WAFs are usually deployed with "default permit" as opposed to a network firewall, which is set to "default forbidden". Now running "default forbidden" is a tough job which demands a lot of knowledge about the application.

Do the autolearn modes of the commercial products provide real help in such a positive security model (as opposed to a negative, signature-based, default-permit security model)? What else is out there?

On your first point I completely agree, though I think with WAFs things are a bit more subtle. In my experience some of their rules are in default deny most of the time (i.e., protocol enforcement) and the more application-specific ones are in default allow. The only other thing I'd add, in addition to a lot of app knowledge, is constant management to keep up with the changes. The magic learning stuff does indeed help, as opposed to having nothing at all. The only other type of enforcement I've seen is the on-the-fly URL/cookie encryption variety.

Yes, I agree with your sentiment about web application firewalls gaining in popularity. PCI 6.6 is a part of it, naturally, but there is something else underneath. A web application firewall developer myself, I have long been frustrated with the slow adoption of this technology, and have given the topic a lot of thought. Inspired by your blog post, I put my own together today:

By the way, there is nothing wrong with deploying a WAF in detection-only mode. On the contrary. Gaining real-time visibility of your HTTP networks is a major part of WAF appeal. There is no doubt in my mind that everyone needs a WAF just for this purpose.

Ivan, absolutely. Visibility is a huge deal. Not everyone appreciates that aspect right away.

From your blog I think the main reason why WAF sales haven't taken off has more to do with webappsec VA having not yet reached critical mass. VA is growing, but has not yet fully demonstrated the severity and pervasiveness of the problem. And as a result, it has not proven the need for remediation (WAFs).

I believe this because if we think back to network security of the early 90s, firewall sales didn't take off until everyone and their brother was using SATAN, Nessus, ISS, and the like. VA proved the need for firewalls. I think it's the same for webappsec.

Lastly, it also corresponds to my customers seeming to be, percentage-wise, more interested in WAFs lately than the general populace.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!